Until recently, setting bad credentials when making a call to an unauthenticated endpoint would result in a 200 (and the response body). However repeated calls with bad credentials would lock out the account. We recently started returning an error message indicating the account was locked out. Today we're fixing this the rest of the way, and returning a 401 for any calls that have bad credentials passed in. If you start seeing increased 401s on unauthenticated endpoints it's likely that your credentials have always been invalid, we're just letting you know now.
---Mark http://twitter.com/mccv
